# What is Vulnerability Management?

Vulnerability Management is the process of identifying security flaws and vulnerabilities in software, reporting on these so they can be fixed, with a goal of reducing the risk and impact of cyber-attacks. This is a very important aspect of network and computer security, as it works to reduce the attack surface, a term used to describe the number of potential security flaws a malicious actor could exploit to cause harm to an organization. The process includes the following steps:

- Identification – Using vulnerability scanners, manual techniques, and asset discovery methods to identify and record systems (such as servers, desktops, laptops, mobiles, IoT devices), along with any security issues they have, with scores based on different factors (see CVSS scores).
- Reporting – Reporting these issues to appropriate stakeholders (such as system owners) so they can be addressed, and eventually resolved.
- Remediation – Having the security issues fixed by the system owner or technical owner so that the security flaw is no longer present. Different methods can be used to remediate vulnerabilities, such as security patches, reconfigurations, or mitigating controls.
- Reassessment – Scanning or manually checking to ensure the security issues have been successfully fixed.

This is a cyclic process, so assets should routinely be scanned, especially after major changes. Identifying and fixing vulnerabilities quickly means malicious actors have less time to discover and exploit them.

# Why is it Useful?

Vulnerabilities are announced constantly, and most of them affect software that is used on a mass scale. 50 new vulnerabilities were detected every day on average in 2017 [1]. Examples include security flaws in Google Chrome, the Windows operating system, and other common programs such as Adobe Flash Player, and Adobe Shockwave Player.

Being able to keep on top of these issues, and make sure products are patched as soon as possible (usually after testing, to ensure there are no unwanted effects from the patch), means that hackers have less time to attempt exploitation.

By ensuring internet-facing systems are secure, it’s harder for attackers to get in, and by ensuring internal systems are secure, it’s harder for attackers to move around, and complete the actions they want to, such as privilege escalation or information harvesting.

# Associated Roles

## Threat Intelligence Analyst

Receiving and reporting on intelligence about newly released vulnerabilities, or vulnerabilities that are actively being exploited in the wild, and by which threat actors. Intelligence Analysts will usually have access to commercial tools that allow them to observe exploitation activity on a global scale, as well as underground discussions about vulnerabilities, helping the Vulnerability Analysts to prioritize which issues need to be fixed first.

## Vulnerability Analyst

Identifying, reporting on, and helping to remediate vulnerable assets to harden the estate and reduce risk from cyber-attacks. Daily tasks include vulnerability scanning, analyzing results, performing manual checks, reporting on security flaws, and keeping up-to-date with the latest publicly available news regarding vulnerabilities, as well as receiving threat intelligence reports from Intelligence Analysts.

## Incident Responder

Knowledge about vulnerabilities, and how to deal with compromises as a result of successful exploitation is key in knowing how to respond in the most effective way.

## Penetration Tester / Red Teamer

Knowing how to identify and scan for vulnerabilities and security flaws is key to this role, allowing you to exploit systems and gain access for security purposes, reporting on these so that Vulnerability Analysts can work with stakeholders to get the systems remediated.

# A Day in the Life

I was previously responsible for ensuring that thousands of endpoints around the world, including servers, websites, workstations, networking equipment, IoT, and mobile devices all stay secure. Sounds like fun, right? Hmm… yeah.

I’m kidding – I loved it. In this role, you get a perfect mix of Red and Blue team. You get to hack stuff, but then get it fixed so some nasty threat actor can’t do the same.

Over the past year (2019) we’ve had some pretty nasty vulnerabilities. Arguably the most important has been CVE-2019-0708, a zero-day vulnerability in Windows Remote Desktop Services (RDP). This remote code execution vulnerability could allow a hacker to bypass any authentication over RDP and connect directly to a system over the internet without valid credentials. This was BIG. I read some of the first public announcements on Twitter, and immediately set up some Tweetdeck columns to monitor for keywords such as “CVE-2019-0708”, “RDP”, “zeroday”, and “bluekeep”. I turned to the other analysts in the Vulnerability Management team and said, “guys, take a look at this”, and sent them the details. At this point we genuinely laughed, because we knew this would be huge and we’d be very busy. I sent an email to the wider Security Operations team providing everyone with a situational awareness update and informed the SOC Manager and SecOps Director. Next we drafted an email notification that went to essentially every department we have, informing them to apply the Microsoft-issued security patches for everything back to Windows XP (yeah, it was so bad Microsoft brought out patches for end-of-life systems). Our email also mentioned that if anything didn’t need RDP open, disable the service ASAP. We got our global DMZs patched the same day, and people began queueing patches for internal assets. Over the next few days we ran vulnerability scans against our internet-facing systems to see if RDP was still present anywhere. Other OSINT sources like Shodan helped us check for exposure. Throughout the week we also had Threat Intelligence analysts looking to see if any Public Exploit Code (also known as Proof of Concept code) or exploits were detected in the wild. I also shared any intelligence I discovered myself via a government-owned information sharing platform.

Although events like this aren’t common, there’s always work to do. Researching publicly announced vulnerabilities, checking them against the estate, getting systems patched, vulnerability scanning, manually checking and exploiting vulnerabilities, threat simulation attacks, analyzing reports generated by OSINT sources such as Shodan and ShadowServer, communicating with teams in other organizations, helping investigate SIEM alerts regarding vulnerability/system exploitation, web-app pentesting our sites, and much more.

# Building a Career in Vulnerability Management

To start, it’s worth mentioning that this is all my own opinion, and is not a definitive guide to landing a job as a Vulnerability Analyst. Neither SBT nor I are endorsed by any of the companies/websites/services mentioned on this page; they’re just good at what they do. Take this as some friendly advice, based on my experiences and the thoughts of my fellow Analysts.

If you think a Vulnerability Analyst role sounds interesting, and you want to try to land a job in this position, then below is some advice including skills to focus on, experiences to gain, and other ways you can potentially improve your chances. Good luck!

# Security-Related Knowledge

- Getting hands-on with vulnerability scanners such as Nessus, OpenVAS, and Nikto. This shows that you understand how these tools work, how to conduct vulnerability scans, and what their outputs look like. You can get experience like this by downloading the Metasploitable 2 intentionally vulnerable virtual machine (covered later in this course), downloading other vulnerable virtual machines from VulnHub, or scanning machines on penetration testing platforms such as Hack The Box.
- Show that you keep up-to-date with the latest security news, especially surrounding vulnerabilities. You can do this by using platforms such as TweetDeck to monitor for terms such as “vulnerability”, “CVE”, and other phrases that will show tweets regarding vulnerabilities and exploitation (Read my Reddit post about using TweetDeck)
- Have a blog with hacking write-ups, or a Github with custom tools. These will both go a LONG way when trying to get your first job in security, or even move up the ladder. Running a blog shows that you are really motivated and driven, something that is very attractive in employees. Writing up how you hacked or ‘owned’ machines on HackTheBox is a great activity, and shows that you understand how to identify and exploit vulnerabilities. Custom tools show that you’re a problem solver, and that you can create tools to help overcome problems, or speed up tasks. Creating your own Github account, cloning an open-source tool, and starting to make your own changes or additions is a great place to start.

# CVEs and CVSS Scores

CVEs and CVSS scores are two things you’ll hear a lot about when dealing with vulnerabilities. They help us to share information regarding security issues, and rate them using a scale from Low to Critical using numerical values based on a large number of factors. This lesson will quickly cover what they are, and why they’re really important to us.

- CVE, which stands for Common Vulnerabilities and Exposures, is a way to standardize names for publicly-known vulnerabilities. I like to think of CVEs working like domain names. Everyone knows www.Google.com, but most people don’t know the website IP. We use www.Google.com because it’s convenient, easy to remember, and easy to use. The same goes for CVEs. I know that CVE-2019-0708 is assigned to the Remote Desktop Protocol (RDP) zero-day remote code execution vulnerability named ‘BlueKeep’. It makes life easier when talking about vulnerabilities, or sharing information between different vulnerability databases, tools, and services. The term CVE is copyrighted by MITRE (to ensure it remains free and usable by the security community), and MITRE states that “CVE Entries are comprised of an identification number, a description, and at least one public reference.” [1]

https://CVEDetails.com is a security vulnerability database that has lots of information and can allow us to search for specific CVEs, or even look at vulnerabilities sorted by release date.

- Carrying on from the CVE example above, under the “Severity” heading there is a section that states “Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H”. This is the Common Vulnerability Scoring System, used to help rank vulnerabilities based on their attributes. Whilst this may look like some confusing code, it’s actually fairly simple. “Base Score: 8.8 HIGH” tells us that this vulnerability has a high severity. The idea behind these scores is that they provide value at a glance, so you can look at the score and immediately tell if this vulnerability is bad. Obviously this is a general score: what may be a critical vulnerability for one company may not affect another company at all – it all depends on the products and versions you’re using, the security controls you have in place, and a number of other factors, so this score value should only be taken as a generic guideline.

- CVSS:3.0 = This score is generated using the CVSS 3.0 system (as opposed to version 2.0)

- AV:N = Attack Vector: Network (Exploitation can occur over a network, such as the Internet)
- AC:L = Attack Complexity: Low (This attack is easy to conduct, and requires little technical sophistication)
- PR:N = Privileges Required: None (The attacker does not need an account with any specific permissions for successful exploitation)
- UI:R = User Interaction: Required (Exploitation does rely on a legitimate user doing something, such as clicking something or opening a malicious file)
- S:U = Scope: Unchanged (Exploiting the vulnerability only affects resources managed by the same security authority as the vulnerable component; the impact does not spill over into other components)
- C:H = Confidentiality Impact: High (Confidentiality is broken, meaning the attacker will gain access to files or information that should be restricted)
- I:H = Integrity Impact: High (Integrity is broken, meaning the attacker is able to modify files or information)
- A:H = Availability Impact: High (Availability is broken, meaning the attacker can restrict legitimate access to a system)